(MED303) Secure Media Streaming and Delivery | AWS re:Invent 2014
Media content, whether it be the latest blockbuster movie or a company's confidential webcasts, can be some of the most important assets for a media business. Storing, preparing, and delivering this content securely involves leveraging systems that can scale and ensure top-of-the-line security. Come find out how AWS can help you implement these workflows in the cloud using highly available, scalable, and secure cloud services such as Amazon S3 (storage), Amazon Elastic Transcoder (transcoding) and Amazon CloudFront (delivery).
We also discuss the underlying concepts of secure media delivery (e.g., policy-based DRM and signed URLs), the challenges faced by customers who need to design and implement these critical modules, and how to leverage the power of AWS to accomplish those while saving on costs. In addition, we take a deep dive into a media processing stack implemented on AWS using open source components to deliver encrypted HTTP Live Streams (HLS) to various devices.
  1. Use case overview (content security solution commonly in practice, and delivery solution, per media distributor type):

     | Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution |
     |---|---|---|---|
     | Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming |
     | Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming |
     | Ad Supported | Sony Crackle, TMZ | AES Encryption, Signed URLs | Mostly HTTP or RTMP streaming |
     | Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES Encryption, Signed URLs, DRM | HTTP or RTMP streaming |
     | Pre-Released Content | Studios | Encryption, Watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming |

  2. Content security building blocks: Token / Signed URLs, AES Encryption, DRM, Geoblocking, Watermarking
  3. AWS services by workflow stage. Ingest/Create: AWS Direct Connect, AWS Import/Export, AWS Storage Gateway. Store: Amazon S3, Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon CloudSearch. Process: Amazon EC2, Amazon Elastic Transcoder, Amazon EMR, Amazon SQS, Amazon VPC. Deliver: Amazon CloudFront, Elastic Load Balancing, Amazon Route 53, Amazon EC2.
  4. Sample AWS Architecture for VOD and Live Streaming: media file -> Amazon S3 bucket -> Elastic Transcoder -> Amazon S3 bucket -> CloudFront distribution; RTMP stream -> media servers on Amazon EC2 -> CloudFront distribution.
  5. Amazon CloudFront:
     • Global content delivery via 52 edge locations
     • On-Demand and Live Streaming
     • Supports both HTTP and RTMP streaming; native support for Smooth Streaming
     • Set custom TTLs to cache all types of content
     • TCP optimizations
     • Customize content at the edge: detect device type, geo-location, language, etc.
  6. Secure delivery path: Amazon S3 (media storage) -> Amazon CloudFront -> end user over HTTP or HTTPS ONLY; delivery EC2 instances behind a security group; signed requests; Amazon S3 (logs storage).
     • Custom SSL certificate
     • CloudFront's private content feature: only deliver content to securely signed requests
     • HTTPS ONLY requests/delivery, origin fetches
     • HTTP to HTTPS redirect at the edge
     • Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
     • CloudFront Origin Access Identity (OAI): the S3 bucket policy statement grants only the OAI's canonical user read access to the objects (statement as shown on the slide; the canonical user ID is truncated there):

     ```json
     {
       "Effect": "Allow",
       "Principal": {
         "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
       },
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::example-bucket/*"
     }
     ```

  7. Amazon Elastic Transcoder:
     • Scalable, cost effective (per minute pricing)
     • Integrated with AWS services & tools (Amazon SNS, Amazon S3, IAM, AWS CloudTrail, and AWS SDK)
     • Codecs, processing, and licensing baked in
     • Outputs: popular web formats such as MP4 with H.264/AAC and WebM with VP8/Vorbis; adaptive bitrate formats such as HLS and Smooth Streaming
     • Audio only processing for inputs and outputs
     • Features include captions, visual watermarks, clipping, and more
  8. Elastic Transcoder security:
     • Support for Amazon S3 encryption at rest
     • Input and output media files can be encrypted
     • Keys protected via AWS Key Management Service
     • Encryption for HLS streams COMING SOON!
  9. Shared Responsibility Model
  10. AWS is responsible for facilities, physical security, physical infrastructure, network infrastructure, and virtualization infrastructure. Certifications: SOC 1, SOC 2, & SOC 3 (SSAE16/ISAE 3402 audit); ISO 27001 certification; PCI level 1 service provider; FedRAMP (FISMA); AWS GovCloud (US); MPAA best practices alignment. Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, and International Traffic in Arms Regulations (ITAR) workloads.
  11. Unique security credentials:
     • Access keys, login/password, MFA device
     • Federated authentication (AWS Security Token Service, STS)
     Policies control access to AWS APIs:
     • API calls must be signed by either an X.509 certificate or a secret key
     Deep integration with other AWS services:
     • Amazon S3: policies on objects and buckets
     • Amazon CloudFront: resource permissions
  12. JW Plays Everywhere. One video player for (mobile) web browsers, native mobile apps, and OTT platforms: consistent, cross-platform user interface, adaptive streaming, video advertising, media casting, and video analytics.
  13. JW Player vs. <video>. Cross-browser support: consistent design across browsers & mobile devices; polyfills for non-supported elements (e.g., WebVTT); Flash fallback for non-HTML5 browsers (e.g., IE8). Premium user interface: pixel-perfect skinning (fit your brand & site design); interactivity (preview thumbnails, chapter markers, hot spots); content discovery (social sharing and related videos overlays). Apple HLS on desktops: adaptive, on-demand & live streaming with DVR support; multiple audio tracks and (live) closed captions languages; fast (<500ms) startup time and frame-accurate seeking.
  14. JW Player & Security:
     • CDN Tokening: support for access tokens from all major CDNs, including CloudFront.
     • Domain Restriction: configure JW Player to only set up when detecting specific domains.
     • HLS AES Decryption: play HD quality encrypted streams using external keys and/or rotation.
     • No DRM yet, but browser support for HTML5 Encrypted Media Extensions (EME) is growing. EME currently works in Chrome (all platforms), Safari 8 (Mac), and Internet Explorer 11 (Win8).
  15. On-Demand Transcoding and Encrypted File Delivery: media owner -> Amazon S3 bucket -> Elastic Transcoder (keys from AWS Key Management Service) -> Amazon S3 bucket -> CloudFront distribution; web app server EC2 instances behind Elastic Load Balancing in Availability Zones a and b; per-asset keys stored in DynamoDB:

     | Key Name | Base64 Encoded Key |
     |---|---|
     | Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY… |
     | Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad… |

  16. https://github.com/arut/nginx-rtmp-module
  17. Live Stream Failover Setup: RTMP stream -> nginx transcoder EC2 instances in Availability Zones a and b, fronted by Elastic Load Balancing and Amazon Route 53 DNS failover -> Amazon CloudFront.
  18. Security group for the nginx transcoder instances:

     | Type | Protocol | Port Range | Source |
     |---|---|---|---|
     | HTTP | TCP | 80 | 0.0.0.0/0 |
     | HTTPS | TCP | 443 | 0.0.0.0/0 |
     | Custom TCP Rule | TCP | 1935 | 54.255.255.0/32 |

  19. nginx-rtmp-module configuration for transcoding an RTMP ingest and publishing AES-encrypted HLS (the slide's key URL is a placeholder):

     ```nginx
     rtmp {
         server {
             listen 1935;
             chunk_size 4096;

             application live {
                 live on;
                 record off;
                 # Transcode the incoming stream and push the result into the hls application
                 exec_push ffmpeg -i rtmp://localhost/live/$name
                     -vcodec libx264 -vprofile baseline -g 5 -s 640x360
                     -acodec libfdk_aac -ar 44100 -ac 1
                     -f flv rtmp://localhost/hls/$name;
             }

             application hls {
                 live on;
                 hls on;
                 hls_path /tmp/hls;
                 hls_fragment 5s;
                 # Use HLS encryption
                 hls_keys on;
                 # Use stream timestamp rounded to 250ms as fragment names
                 hls_fragment_naming timestamp;
                 hls_fragment_naming_granularity 250;
                 # Store auto-generated keys in this location rather than hls_path
                 hls_key_path /tmp/keys;
                 # Prepend key URL with this value (placeholder as on the slide)
                 hls_key_url https://enter URL here/keys/;
                 # Change HLS key every 2 fragments
                 hls_fragments_per_key 2;
                 # Create identical fragments on different nginx instances for High Availability (without encryption)
                 hls_fragment_slicing aligned;
                 hls_cleanup on;
             }
         }
     }
     ```

  20. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
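Slide 6 describes CloudFront signed URL verification as a policy "based on a timed URL or a CIDR block of the requestor". The following added example (not from the deck, not AWS code) shows what such a custom policy looks like, how it is encoded into the `Policy` query parameter using CloudFront's URL-safe base64 alphabet, and how its conditions are evaluated against a request. The domain `d111111abcdef8.cloudfront.net`, the key pair ID and the signature bytes are constructed placeholders; the RSA-SHA1 signature over the policy string is produced elsewhere with the CloudFront key pair's private key and is simply passed in here.

```python
"""Build and evaluate a CloudFront-style custom policy for signed URLs.

Added example; stdlib only. The policy JSON shape (Statement/Resource/Condition
with DateLessThan, DateGreaterThan and IpAddress) is the one CloudFront documents.
"""
import base64
import fnmatch
import ipaddress
import json

# Constructed placeholders, not real AWS identifiers.
EXAMPLE_DISTRIBUTION = "https://d111111abcdef8.cloudfront.net"
EXAMPLE_KEY_PAIR_ID = "APKAEXAMPLE"


def build_custom_policy(resource: str, expires_epoch: int, source_cidr: str = "") -> str:
    """Return the compact JSON policy (no whitespace) that gets signed and encoded."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_cidr:
        # Restrict the signed URL to a requester CIDR block, as on slide 6
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_safe_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def cloudfront_safe_b64_decode(text: str) -> bytes:
    """Inverse of cloudfront_safe_b64."""
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def signed_query_string(policy_json: str, signature: bytes, key_pair_id: str) -> str:
    """Query string appended to the content URL (signature computed elsewhere)."""
    return "Policy={}&Signature={}&Key-Pair-Id={}".format(
        cloudfront_safe_b64(policy_json.encode("utf-8")),
        cloudfront_safe_b64(signature),
        key_pair_id,
    )


def _resource_matches(pattern: str, url: str) -> bool:
    # CloudFront accepts '*' and '?' wildcards in Resource; fnmatch covers both
    return fnmatch.fnmatchcase(url, pattern)


def policy_allows(policy_json: str, requested_url: str, client_ip: str, now_epoch: int) -> bool:
    """Evaluate the policy's conditions for one request; True if some statement permits it."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if not _resource_matches(stmt.get("Resource", ""), requested_url):
            continue
        cond = stmt.get("Condition", {})
        # DateLessThan: the URL is valid only while now < expiry
        if now_epoch >= cond.get("DateLessThan", {}).get("AWS:EpochTime", 0):
            continue
        # Optional DateGreaterThan: not valid before the start time
        start = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        if start is not None and now_epoch <= start:
            continue
        # Optional IpAddress: requester must fall inside the CIDR block
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
            continue
        return True
    return False


if __name__ == "__main__":
    pol = build_custom_policy(EXAMPLE_DISTRIBUTION + "/video/*", 1700000000, "192.0.2.0/24")
    print(pol)
    # b"demo-signature" stands in for the RSA-SHA1 signature of pol
    print(EXAMPLE_DISTRIBUTION + "/video/master.m3u8?" + signed_query_string(pol, b"demo-signature", EXAMPLE_KEY_PAIR_ID))
    print(policy_allows(pol, EXAMPLE_DISTRIBUTION + "/video/master.m3u8", "192.0.2.7", 1699999999))
```

The CIDR condition is the one practitioners most often get wrong: it binds the URL to the viewer's public address as seen by the edge, so viewers behind carrier NAT or corporate proxies can fail verification when their egress address changes, which is why the slide pairs it with the plain timed-URL option.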

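The nginx configuration on slide 19 turns on `hls_keys` with `hls_fragments_per_key 2`, so the published playlist carries an `#EXT-X-KEY` tag every two fragments pointing at `hls_key_url`; slide 14 notes that JW Player fetches such external keys and handles rotation. The following added example (not from the deck or from nginx-rtmp-module) parses an HLS media playlist's `#EXT-X-KEY` and `#EXTINF` tags and audits what a viewer would actually be served: segments left in the clear, key URIs not fetched over HTTPS, and keys covering more fragments than the rotation interval intends. Both playlists are constructed samples; the key host `keys.example.invalid` is a placeholder.

```python
"""Parse an HLS media playlist and audit its encryption tags.

Added example; stdlib only. Follows the HLS playlist format (EXT-X-KEY attribute
lists, EXTINF followed by the segment URI); sample playlists are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed playlist resembling nginx-rtmp output with hls_keys on,
# hls_fragments_per_key 2 and hls_fragment_naming timestamp.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:10
#EXT-X-TARGETDURATION:5
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/keys/5.key",IV=0x00000000000000000000000000000005
#EXTINF:5.000,
1700000000000.ts
#EXTINF:5.000,
1700000005000.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/keys/6.key",IV=0x00000000000000000000000000000006
#EXTINF:5.000,
1700000010000.ts
#EXTINF:5.000,
1700000015000.ts
"""

# Constructed playlist with the mistakes the audit is meant to catch.
WEAK_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-TARGETDURATION:5
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.invalid/keys/1.key"
#EXTINF:5.000,
a.ts
#EXTINF:5.000,
b.ts
#EXTINF:5.000,
c.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:5.000,
d.ts
"""

# NAME=value or NAME="quoted value", comma separated (HLS attribute list)
ATTR_RE = re.compile(r'([A-Z0-9-]+)=(?:"([^"]*)"|([^,]*))')


@dataclass
class Segment:
    uri: str
    duration: float
    method: str            # "NONE" until an EXT-X-KEY tag is in effect
    key_uri: Optional[str]
    iv: Optional[str]      # None means the client derives the IV from the media sequence


def parse_attributes(attr_text: str) -> Dict[str, str]:
    """Parse an EXT-X-KEY attribute list into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def parse_media_playlist(text: str) -> List[Segment]:
    """Return the segments with the key state that applies to each of them."""
    segments: List[Segment] = []
    method, key_uri, iv = "NONE", None, None
    duration = 0.0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attributes(line[len("#EXT-X-KEY:"):])
            method = attrs.get("METHOD", "NONE")
            key_uri = attrs.get("URI") if method != "NONE" else None
            iv = attrs.get("IV")
        elif line.startswith("#EXTINF:"):
            duration = float(line[len("#EXTINF:"):].split(",", 1)[0])
        elif line.startswith("#"):
            continue  # other tags and comments
        else:
            segments.append(Segment(line, duration, method, key_uri, iv))
    return segments


def audit_playlist(text: str, max_segments_per_key: int = 2) -> List[str]:
    """Findings a defender cares about; empty list means the playlist looks as intended."""
    segments = parse_media_playlist(text)
    findings: List[str] = []
    per_key: Dict[str, int] = {}
    for seg in segments:
        if seg.method == "NONE":
            findings.append(f"{seg.uri}: served in the clear (no EXT-X-KEY in effect)")
        elif seg.key_uri:
            per_key[seg.key_uri] = per_key.get(seg.key_uri, 0) + 1
    for key_uri, count in per_key.items():
        if not key_uri.lower().startswith("https://"):
            findings.append(f"key {key_uri} is not fetched over HTTPS")
        if count > max_segments_per_key:
            findings.append(f"key {key_uri} covers {count} segments (expected at most {max_segments_per_key})")
    return findings


if __name__ == "__main__":
    print(audit_playlist(SAMPLE_PLAYLIST))   # expected: []
    for finding in audit_playlist(WEAK_PLAYLIST):
        print(finding)
```

Run it against a playlist pulled from the CloudFront distribution rather than from the nginx instance: the key URIs the viewer sees are what matter, and an `hls_key_url` left at the slide's placeholder, or pointing at an unauthenticated HTTP key server, undoes the encryption that `hls_keys on` provides.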